§ 164.314 Organizational requirements
HIPAA Survival Guide Note
These requirements parallel, for ePHI, the organizational requirements of the HIPAA Privacy Rule in section §164.504 concerning PHI in general, particularly as it relates to business associate contracts.
§ 164.316 Policies and procedures and documentation requirements
HIPAA Survival Guide Note
§ 164.318 Compliance dates for the initial implementation of the security standards
A covered health care provider must comply with the applicable requirements of this subpart no later than April 20, 2005.
HIPAA Security Rule Commentary in General
This is a gross over simplification of the HIPAA Security Rule. To a large degree providers will, of necessity, have to rely on trusted partners, software vendors and others, in order to meet their security compliance objectives. The HIPAA Security Rule will likely play an even more prominent role going forward as the Obama administration continues to push for a national health care infrastructure that underpins the effective exchange of electronic medical records.
We expect that HHS will continue to provide guidance and to make additional resources available that support a provider's "good faith" efforts to comply. This guidance will hopefully provide a common sense road map that cuts through the technical obfuscation of the HIPAA Security Rule, as currently written. There is indeed a sense that the Obama administration understands that real "administrative simplification" is required in order to achieve its objective of transforming the health care industry. HIPAA itself is unlikely to change (in fact the HITECH Act makes certain provisions more stringent) but hopefully we will see HHS doing a more effective job of industry outreach.
Small providers may benefit enormously, vis-à-visSecurity Rule compliance simplification, to the degree that they use Internet hosted solutions. The principal reason is that a hosted solution can dramatically reduce the ePHI infrastructure that a provider directly controls, and shifts some of the burden of the specifications to the partner (e.g. data backups and disaster recovery). However, it should be clear that it remains the provider's responsibility to comply. In so doing, it is imperative that providers understand enough about compliance issues in order to ask the right questions of their trusted partners, and ensure that the required agreements are in place (e.g. business associate contracts).
Finally, because the HIPAA Security Rule contains so much technical jargon, many providers may be at a complete loss as to where to begin developing a "good story." Remember that as a practical matter compliance perpetually exists along a continuum. The most difficult step is likely the first-simply getting started. Given that, we recommend that you start with the administrative safeguards, and specifically with the "risk analysis" and "risk management" specifications, since these two will drive other parts of the strategy. HHS has developed a list of questions to help you get started (see the Appendix). Also, it's important to keep in mind that a plan to develop a story is preferable to no story at all.